GOVERNMENT OF THE DISTRICT OF COLUMBIA

Office of the Chief Financial Officer
Office of Tax and Revenue




MEMORANDUM 

TO: Robert G. Andary, Executive Director 

Office of Integrity and Oversight 

FROM: Stephen M. Cordi, Deputy Chief Financial
Officer for Tax and Revenue

DATE: February 15, 2008




SUBJECT: Response to the Management Alert: The Integrated Tax System's 

Systemic Weaknesses Hamper Internal Controls (IA:OTR:2803:C05) 



The Office of Tax and Revenue (OTR) is pleased to provide this response to the
Management Alert entitled "The Integrated Tax System's Systemic Weaknesses Hamper 
Internal Controls (IA:OTR:2803:C05)". 

GENERAL COMMENTS: 

The Integrated Tax System (ITS) is comprised of several applications supporting the 
administration of the District's Individual, Business and Real Property taxes. ITS 
functionally includes, but is not limited to, the capture of tax return filing data, validation 
of tax information, processing of tax payments, creation of delinquent cases for 
collections tracking, application of penalty and interest, tax billing, generation of 
taxpayer notices, generation of tax refunds and executive reporting. ITS also supports 
online filing via the Internet, customer contact tracking and imaging of filed returns.

Implemented in phases from 2000 to 2005, the ITS replaced a set of four separate 
incompatible legacy systems built in the 1960's and 1980's that severely limited the 
District's ability to identify taxpayers that either owed taxes and/or were due a refund. 
Consequently, these stove-piped systems were woefully ineffective in providing OTR 
with the requisite information required for efficient tax information. 

ITS is the major factor that has allowed the District to realize the increase in tax 
collections that in conjunction with sound financial management practices has resulted in 
the District's outstanding fiscal position. 






941 North Capitol Street, N.E., Washington, D.C. 20002 



Finding 1: Inadequate controls over the ability to make on-line adjustments 
without management approval. 

Response: Concur. 

OTR agrees there is minimal and inconsistent management supervision of the 
adjustments made to taxpayer accounts in ITS. We also agree that this lack of consistent 
supervisory oversight poses serious risk related to refunds, taxpayer liability and
employee integrity. 

Recommendation: We recommend that OTR review this area, determine the 
positions that should have the capability to adjust taxpayer accounts and to what 
degree, and address the duties and responsibilities of managers to assure 
effectiveness and integrity of the process. In the interim, we recommend managers 
review on-line adjustments made by employees to ensure that adjustments are 
proper. 

OTR has begun a comprehensive review of security related to on-line ITS taxpayer 
adjustments. In this review each OTR director will be responsible for examining their 
administration's positions as well as the current ITS security user classes related to these 
positions to ensure that only those individuals who should have the capability to adjust 
taxpayer accounts have the system rights to do so. It is expected that each director will 
request the removal of specific access for those employees having inappropriate on-line 
rights as well as request the modification of ITS security user classes to better enforce
on-line adjustment security.

OTR will also review and address the duties and responsibilities of managers to assure 
effectiveness and integrity of the adjustment process and the administration of ITS 
security user classes going forward. 

In its current state of functionality, the ITS does not require manager review of all on-line 
adjustments made by employees. Only a select group of adjustments are sent to the 
review queue and there are often additional criteria that may force a review item. It is not 
viable to require all adjustments be reviewed on-line as this will cause unacceptable 
processing delays. OTR will review all the possible ITS taxpayer adjustments to 
determine those most critical for review. These will be added as new review items. 

OTR will analyze the feasibility of incorporating a hierarchical structure to control the 
approval of review items, requiring certain review items to be approved only by 
supervisors. This functionality does not exist currently in ITS. 

OTR will develop reports listing all on-line adjustments to taxpayer accounts sorted by
supervisor. These will be distributed on a weekly basis to all OTR supervisors having
subordinates with the ITS authority to make taxpayer adjustments. The reports will also
be distributed to all administration directors, the Director of Operations and me. The
supervisors will review this report within three business days of receipt. If any concerns
are identified, the supervisor will meet with those involved as well as the appropriate
team leads to rectify the erroneous practice within one business day.

A comprehensive training program for performing taxpayer adjustments will be 
developed and all appropriate personnel will be required to complete the training program. 
To ensure adjustment quality is improved as quickly as possible, a desk aid describing the 
procedures for making taxpayer adjustments will be developed as soon as possible and 
reviewed with all appropriate ITS users. 

Finding 2: Refunds generated from on-line adjustments have an improper audit 
trail and are bypassing the refund review queue. 

Response: Concur. 

OTR agrees that the ITS audit trail does erroneously indicate a system user, who makes 
an on-line adjustment to a taxpayer account that results in the automatic generation of a 
refund, as the approver of the refund. As a corollary, it is also possible that a system user 
who does not have the system security rights to approve a refund can make an adjustment 
that results in the automatic generation of a refund. 

Recommendation: We recommend that OTR management request a system 
modification in ITS to require refunds that result in a line item adjustment go to 
[the] review queue before being released for payment. This will allow for a
thorough review process before the refund is sent to the taxpayer. 

Additionally, OTR management should request a modification to the audit trail 
program to ensure that it accurately reflects the person who modified and who 
approves an account. (See additional audit trail findings below.) 

As stated in Finding 1 above, it is not viable to require all adjustments be reviewed
on-line as this will cause unacceptable processing delays. We will implement business rules
within ITS to trigger a review item whenever a taxpayer account adjustment causes the 
tax liability to change by an amount greater or less than a specified amount. In addition, 
we will implement business rules within ITS to trigger a review item whenever a 
taxpayer account adjustment causes a refund greater than a specified amount to be 
automatically generated. 

OTR will also modify ITS on-line audit process to ensure it accurately reflects the person 
who modified or adjusts a taxpayer's account separately and distinctly from the person 
who approves account review items and/or refunds. 

Finding 3: User identification is not properly maintained in ITS.
Response: Concur.

Recommendation:

OTR should immediately discontinue the practice of recycling User ID's and issue
unique identifiers to new employees.

OTR should work with the Office of the Chief Technology Officer (OCTO) on the
need to modify the ITS naming convention to ensure that unique User ID's are
assigned to users. This will also improve internal controls and ensure that audit
trails remain intact.

OTR should perform a data clean-up on User ID information to ensure that the 
employee telephone number and organization are correct in ITS. 

OTR will immediately analyze the technical impact to ITS software related to 
discontinuing the practice of recycling ITS User ID's. During this analysis OTR will 
consult with the Office of the Chief Technology Officer. It is OTR's intent to modify 
ITS as soon as feasibly possible to discontinue the recycling of ITS User ID's. 

Information related to ITS users such as employee telephone number and organization 
can be modified on-line. Each administration within OTR will review this information 
and perform an on-line data clean-up for those users within their respective 
administrations. 

Finding 4: ITS User Classes are not properly maintained. 
Response: Concur. 

ITS user classes are the security profiles which define ITS job tasks (functions) a system 
user has authority to perform. Each ITS user is assigned to one or more user classes 
based upon that user's position or job description within OTR. OTR agrees lax control 
over ITS user classes and user class assignments has increased the risk of employees 
having the ability to adjust accounts or release refunds without having a business need to 
do so. 

Recommendation: We recommend that OTR, under the overall direction and 
oversight of a senior official, perform a comprehensive analysis of all OTR user 
classes and determine the job tasks that each will be allowed to perform. 

As stated in Finding 1 above, OTR has begun a comprehensive analysis/review of
security related to on-line ITS taxpayer adjustments. In this analysis each OTR director
will be responsible for examining their administrations' positions as well as the current
ITS user classes related to these positions to 1) ensure each ITS user class is accurately
defined to include only those job tasks appropriate to the related OTR position; and 2)
ensure that all individuals given access to on-line ITS functionality are assigned to the
appropriate ITS user class or classes based on their position. Upon completion of this
analysis the corresponding modifications will be made to the ITS On-Line Security
Tables.

A complete review of the operating procedures related to requesting new ITS user classes 
and assigning or removing system users from new and existing user classes will also be
performed.

Oversight and direction related to these efforts will be the responsibility of the Director of
Operations for OTR. The Director of Operations reports directly to the OTR's Deputy 
Chief Financial Officer. 

If you have any questions, please contact Glen Groff, Acting Director of Operations, at 
(202) 442-6499. 

cc: Natwar M. Gandhi, Chief Financial Officer 
Lucille Dickinson, Chief of Staff, CFO 
Angell Jacobs, Director of Operations, CFO 
Glen Groff, Acting Director of Operations, OTR 
Michael Teller, Chief Information Officer 
James Hightower, Director, CIO 
Frank R. Milligan, Director of Internal Security, OIO 
Mohamad Yusuff, Director of Internal Audit, OIO

Scenario for Integrity Discussions with Senior OCFO Officials
Official: Office: 



Date: 

• Review any prior projects, especially progress on recommendations 

• Solicit integrity concerns from DCFO/ACFO 

• If none readily identified, discuss operational risks, e.g.- 

• Confidentiality of information 

• Reissued salary payments 

• Procurement 

• If suggestion or question for topic, discuss integrity focus for annual 
employee presentations 

Notes: 

Prior integrity review: 
Areas of concern:

Natwar M. Gandhi, Chief Financial Officer
Office of the Chief Financial Officer

Stephen M. Cordi, Deputy Chief Financial
Officer for Tax and Revenue

Sebastian Lorigo, Executive Director
Office of Integrity and Oversight

January 31, 2008

Management Alert: The Integrated Tax System's Systemic Weaknesses Hamper
Internal Controls (IA:OTR:2803:C05)



The Office of Integrity and Oversight (OIO) has assigned three auditors to the Office of Tax and
Revenue to assist in the development of refund review criteria, perform an audit of the tax sale,
and review operations to define auditable areas.

As part of our task, we met with OTR staff and performed limited reviews of transactions that
are processed through the Integrated Tax System (ITS). As a result, several systemic weaknesses
within ITS have come to our attention.

The purpose of this Management Alert is to advise you of specific areas that we have identified
which warrant immediate management attention, specifically:

• Inadequate controls over the ability to make on-line adjustments without management
approval;

• Lack of review for refunds generated as a result of on-line adjustments;

• Vulnerabilities in the ITS User Identification process; and 

• Vulnerabilities in the maintenance of the ITS Employee User Classes. 



Finding 1: Inadequate controls over the ability to make on-line adjustments without
management approval

The ITS allows users to adjust taxpayer accounts for various reasons, such as additional
information received from the taxpayer, abate penalty and interest, apply credits from other
periods, report results of an audit of the tax return, or correct processing errors, such as a

• Additionally, OTR management should request a modification to the audit trail program to
ensure that it accurately reflects the person who modifies and who approves an account. (See
additional audit trail findings below.)

Finding 3: User Identification is not properly maintained in ITS.

The ITS User Identifications (User ID's) are assigned to OTR employees by the Information
Systems Administration (ISA) upon receipt of a completed request form authorized by
management. The Office of the Chief Technology Officer (OCTO) prescribed the ITS naming
convention which is currently three letters and three numbers (ex. JTS4W). The employee
retains the ITS User ID through his/her employment with OTR. However, if the employee
leaves OTR or does not log into the system for more than 30 days, the ITS User ID may be
deleted or recycled and given to a new employee. The impact of this practice is detrimental to
the maintenance of the audit trail.

Additionally, we found that the User ID profile screen in ITS contains inaccurate information
relating to the employee information, such as an incorrect telephone number and organization.

Recommendation

• OTR should immediately discontinue the practice of recycling User ID's and issue unique
identifiers to new employees.

• OTR should work with OCTO on the need to modify the ITS naming convention to ensure
that unique User ID's are assigned to users. This will also improve internal controls and
ensure that audit trails remain intact.

• OTR should perform a data clean-up on User ID information to ensure that the employee
telephone number and organization information are correct in ITS.

Finding 4: ITS User Classes are not properly maintained.

Employees who use ITS are placed into user classes based on their job duties. However, if a
person moves within the organization, their rights in the former organization are not consistently



